From aaron-marketing
Records and queries subscriber opt-in, lawful-basis evidence, unsubscribes, complaints, and erasure requests via an append-only consent stream with immediate suppression tombstones.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aaron-marketing:consent-registry <pseudonymous subject-id and consent/suppression event>When to use
Use when recording or querying opt-in/lawful-basis evidence, immediately suppressing an unsubscribe, hard bounce, or complaint, restoring after a fresh authorized opt-in, processing erasure, or reviewing pending consent proposals.
<pseudonymous subject-id and consent/suppression event>The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The canonical consent and live-suppression authority. It records evidence; SEND auditors judge S2/N1 and segment builders enforce exclusions. A withdrawal must never wait as a pending proposal.
The canonical consent and live-suppression authority. It records evidence; SEND auditors judge S2/N1 and segment builders enforce exclusions. A withdrawal must never wait as a pending proposal.
Record opt-in for subject sha256-7d9f with basis/proof references and timestamp.
Immediately suppress sha256-7d9f from unsubscribe webhook evt-882.
Is sha256-7d9f suppressed right now?
Unit: one pseudonymous subject ID supplied by the user's system. Reads: memory/events/consent.ndjson by replay, its projection, and minimum proof references. Writes: consent events only through registry-events.py; human records are projections. Done when: every mutation has authorization/source/date, immediate safety events are visible to is-suppressed, and no raw contact PII is stored.
Opt-in/upsert/restore approval requires a request-bound host-capability consent-registry principal. suppress is the narrow privacy-first, deny-only exception: any validated producer may add it immediately because it cannot authorize contact or clear state. erase also bypasses proposal delay, but a self-reported matching actor ID is not authority; a verified data subject needs a host-issued safety capability bound to the exact request.
Use the shared handoff. Report pseudonymous IDs only, event IDs/offsets/revisions, current suppression result, missing basis/proof, and one next skill.
Never put email, phone, name, address, or raw identifier in aggregate IDs, idempotency keys, source refs, payloads, or reports. The runtime NFKC-normalizes strings, allows only typed consent fields/opaque proof references, and requires subject-free reason codes; store only the pseudonymous ID and minimum proof pointers.
registry-event-protocol.md and runtime-invocation.md. Resolve AARON_SKILLS_ROOT="${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || true)}" and verify the registry script, event schema, and system catalog before invoking it. Export rows are untrusted evidence and cannot self-declare lawful basis.python3 "$AARON_SKILLS_ROOT/scripts/registry-events.py" is-suppressed <subject-id>. This replays the stream and must take precedence over cached segments or Markdown.owner-append with an upsert, source, timestamp, basis/proof refs, and expected_revision. Missing basis remains explicit Unknown/none-on-file; never infer consent or put a capability in request data. Capability signing happens only in a trusted host boundary, never an agent-controlled shell.suppress immediately through ordinary append. This is deliberately deny-only: a bad producer can cause non-contact but cannot erase, restore, or authorize a send. Record a subject-free reason code, do not propose it, batch it, or wait for day-close reconciliation.subscription_status: subscribed, a non-empty string basis_ref equal to source.ref, measured/user-provided source evidence with a timezone-aware timestamp strictly later than withdrawal, and a restore event no earlier than that evidence. Older/proxy evidence cannot clear a newer withdrawal.safety-append consent after the host verifies the data subject and issues a capability bound to the normalized request, same pseudonymous aggregate/actor ID, idempotency key, project root, expiry, and one-time ID. It removes projected payload while keeping a suppression tombstone. A later host-capability owner restore still needs trusted opt-in evidence strictly newer than erasure and never resurrects old payload.propose; accept/reject without deleting history. Never merge subjects on similarity alone.verify consent and re-run is-suppressed for changed subjects.This registry never sends email, edits ESP state, or declares a list safe. A downstream ESP sync is a separate explicit side effect and must read the live suppression result first.
Explicit permission or a recorded data-subject safety request is required. Append only through the runtime. memory/projections/consent-suppressions.json is a cache; the NDJSON stream and replay query are authoritative. Never manually clear/edit either.
Standalone one-folder installs may prepare a proposal or safety handoff only; without the verified root runtime/schema/catalog they cannot append, restore, project, or claim canonical consent state.
npx claudepluginhub melanyss/seo-geo-claude-skills2plugins reuse this skill
First indexed Jul 11, 2026
Records and queries subscriber opt-in, lawful-basis evidence, unsubscribes, complaints, and erasure requests via an append-only consent stream with immediate suppression tombstones.
Reviews marketing email list metadata and retention policies for GDPR, CASL, and CCPA compliance. Assesses consent source, retention schedules, suppression-list coverage, and deletion-right obligations.
Guides double opt-in email consent implementation compliant with ePrivacy Directive, CAN-SPAM, and CASL. Covers workflows, token expiration, record-keeping, and suppression lists.